Control units are electronic modules which, for instance, are used in motor vehicles for the control and regulation of functional sequences. For this purpose the control units are assigned to the particular components of the motor vehicle whose operation will be controlled with the aid of the assigned control unit. In order to do so, the control unit reads in data acquired by sensors and influences the operation by controlling actuators.
The described method is used in conjunction with an electronic security module which is utilized in a control unit, especially in the automotive field, in security-relevant areas. In most applications in the security-relevant areas the manipulation-proof or non-monitorable storing of data is an essential requirement. Cryptographic keys, which are utilized in symmetrical or asymmetrical encryption methods, are used for this purpose.
The employed codes and encryption methods constitute secrets that need to be kept hidden from attackers. Other uses in security-relevant areas, for instance, concern the protection against unauthorized modifications, such as the storing of changed serial numbers or odometer readings, the prevention of unauthorized tuning measures, etc.
Hence it is necessary to provide secure environments in control units, in which functionalities that must have access to and/or modify these secrets can be executed. These environments normally have a secure computer unit or CPU, also referred to as secure CPU, as well as a storage module. An environment of this type is called a hardware security module (HSM) in this context. It represents a high-performance module which includes hardware and software components and improves the security and trustworthiness of embedded systems. The HSM helps in particular in protecting security-critical applications and data. The security costs are also able to be reduced by an HSM, while effective protection against attackers is offered at the same time. As far as the basic structure of an HSM is concerned, reference is made to FIG. 3.
When third parties attack a control unit, they attempt to manipulate the operation of the main computer provided in the control unit and/or the functional sequence of the control unit software. If a manipulation is detected, either only a detection of the manipulation in the region of embedded systems or in the embedded region occurs, or an operation under emergency conditions is triggered. Healing of the system, i.e., the control unit and the software that is running thereon, takes place only if explicit reprogramming is carried out in the customer service facility. In the field of consumer electronics, e.g., in the case of TV receivers, smartphones, etc., self-healing is triggered from the outside, for instance by a user, server, etc.